Question

Pixelicous on Wed, 14 Jun 2017 08:42:20

Hi,

Is it possible to give an SPN account explicit permission to run specific runbooks?

I have control runbooks and function runbooks. I would like to give that SPN account permission to run only the control runbooks, so it cannot accidentally run the function runbooks, which would fail or get stuck in a loop.

I tried New-AzureRMRoleAssignment with role definition of automation operation on "/subscriptions/{SUBID}/resourcegroups/{automation_account_rg}/providers/Microsoft.Automation/automationAccounts/{automation_account_name}/runbooks/{runbookname}"

It actually puts on the permission, but the jobs themselves are run under the "/jobs/" path, and the cmdlet wasn't able to provide permission on that.

So I am stuck with having to grant Automation Operator to the SPN on the whole account. This means that if I cannot control which SPN has control over which runbook, I will need an automation account per group in the company.

There is a topic of the same from 2014 - https://social.msdn.microsoft.com/Forums/azure/en-US/4da65512-0cd4-4ca9-ae7a-398832b45daf/permission-runbooks-on-per-user-basis?forum=windowsazurepack
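The attempt described above, written out as an added example (not from the original post), followed by an audit that lists which principals hold a job-starting role at account scope or above. All subscription, resource group, account, runbook and SPN values are placeholders; as the question reports, the runbook-scoped assignment does not cover the `/jobs/` path, so the audit is the part that tells you which SPNs can start every runbook in the account.

```powershell
# Added example, not the poster's code. All values below are placeholders.
$subId   = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id
$rg      = "automation-rg"                           # placeholder resource group
$acct    = "contoso-automation"                      # placeholder automation account
$runbook = "Control-Deploy"                          # placeholder control runbook
$spn     = "http://contoso-control-spn"              # placeholder SPN (ServicePrincipalName)

$acctScope    = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Automation/automationAccounts/$acct"
$runbookScope = "$acctScope/runbooks/$runbook"

# 1. Runbook-scoped assignment, as attempted in the question.
New-AzureRmRoleAssignment -ServicePrincipalName $spn `
    -RoleDefinitionName "Automation Operator" `
    -Scope $runbookScope

# 2. Confirm where the assignment actually landed for this SPN.
Get-AzureRmRoleAssignment -ServicePrincipalName $spn |
    Select-Object RoleDefinitionName, Scope

# 3. Audit: principals with a job-starting role at account scope or inherited from above.
#    Anything listed here can start any runbook in the account, function runbooks included.
$jobRoles = @("Automation Operator", "Automation Job Operator", "Contributor", "Owner")
Get-AzureRmRoleAssignment -Scope $acctScope |
    Where-Object { $_.Scope -notlike "$acctScope/runbooks/*" -and
                   $jobRoles -contains $_.RoleDefinitionName } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Run step 3 against each automation account; any ServicePrincipal row it returns is an SPN that can start every runbook in that account regardless of runbook-level assignments.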